Re: Logs for API calls
Matthieu,

The commands work independently...if I use the command "New-GuacUser -DataSource mysql -Parameters $GuacParameters" to create a single user, it works fine. I start getting the error when I put the command into a foreach loop and pull in names from a text file. Other functions, like "Add-GuacUserConnection" in a foreach loop work just fine.

I will open an issue on GitHub as you ask. Still, if there is a log someplace that can show me these API calls, it might help reveal what the issue is.

Jim

Sent: Thursday, April 21, 2022 at 12:42 PM
From: "Matthieu Courtois"
To: user@guacamole.apache.org
Subject: Re: Logs for API calls

Hello,

Please open an issue on GitHub, I will check what is going on

UpperM

On Thu, Apr 21, 2022 at 15:36, Jim Rx <jimr...@mail.com> wrote:

Hello,

I am using a PowerShell guacamole module from UpperM on GitHub that seems to work very well. However, I've been having trouble with adding groups of users. The server returns an HTTP 500 Internal Server Error.

Does Guacamole keep logs specific to API calls? I'm hoping to see what is causing the error.

Thanks
Jim

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org
Logs for API calls
Hello,

I am using a PowerShell guacamole module from UpperM on GitHub that seems to work very well. However, I've been having trouble with adding groups of users. The server returns an HTTP 500 Internal Server Error.

Does Guacamole keep logs specific to API calls? I'm hoping to see what is causing the error.

Thanks
Jim
Re: How To have multiple LDAP servers?
Jonathan,

I will give it a try. It would be nice to know the logic/process Guacamole uses in this case.

Thanks
Jim

Sent: Wednesday, March 23, 2022 at 10:25 AM
From: "Hankins, Jonathan"
To: user@guacamole.apache.org
Subject: Re: How To have multiple LDAP servers?

Jim,

What LDAP server are you using? Are you wanting multiple LDAP servers for fault-tolerance / load balancing?

If you are using AD LDAP, you can use the DNS name of the domain instead of individual DCs and you will get DNS round robin. I am not sure how the LDAP library that Guacamole uses handles this, and I don't know if it has any logic to, e.g., try the 2nd IP if the first one doesn't respond. You could probably also handle this kind of situation with a load balancer (like haproxy) in front of your LDAP.

If you are trying to authenticate against multiple, different LDAP domains (i.e., users in domain 1 OR users in domain 2), that'd be up to guacamole to support, and I don't see anything indicating that in the documentation.

If you are in an AD situation where you have multiple domains all in one forest and want to query across the forest, you can do that by querying the Global Catalog port instead of the normal LDAP port, and enabling following of referrals, I think. Your search filter would have to be permissive enough to work for both domains, but not over-match, since you only get one search filter.

Good luck!

On Tue, Mar 22, 2022 at 6:53 AM Jim Rx <jimr...@mail.com> wrote:

We came upon this requirement yesterday -- how do I configure guacamole.properties so that there are multiple LDAP servers available to query? Can I simply have more than one ldap-hostname entry?

Thanks
Jim

--
Jonathan Hankins
Homewood City Schools
W: 205-877-4548
How To have multiple LDAP servers?
We came upon this requirement yesterday -- how do I configure guacamole.properties so that there are multiple LDAP servers available to query? Can I simply have more than one ldap-hostname entry?

Thanks
Jim
Re: is there any method to remove "guacamole" in web url
Use a proxy. For example, we have NGINX set up to forward web requests to https://guac.domain.tld/ to https://guac.domain.tld:8080/guacamole/ . The user only has to type in the https://guac.domain.tld

Here is a web page that talks about it: How to Set up a Reverse Proxy (Step-By-Step for Nginx & Apache)

Sent: Tuesday, March 01, 2022 at 2:18 AM
From: "Simon"
To: "user@guacamole.apache.org"
Subject: is there any method to remove "guacamole" in web url

hello,

in default, we visit guac in browser, root web url contain "guacamole". is there any method to remove "guacamole" in web url?

thx
Re: Problems with GuacamoleHTTPTunnelServlet
Craig,

I verified that guacd is running (systemctl status guacd) and then issued the command telnet localhost 4822. I successfully connected.

root@guac:~# telnet localhost 4822
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

I pressed enter and the connection was 'closed by foreign host'.

So it appears that 4822 is available on the localhost.

Thanks,
Jim

Sent: Monday, February 28, 2022 at 12:34 PM
From: "Craig Sawyer"
To: user@guacamole.apache.org
Subject: Re: Problems with GuacamoleHTTPTunnelServlet

Could this be a firewall thing? Can you open a TCP connection to 127.0.0.1:4822? You obviously won't do anything useful, since you won't speak the guacd protocol, but that's not the point. Just make sure you can open a network connection to guacd. If you can't, then FW or perhaps guacd isn't really opening the port it says it is, etc. will require some troubleshooting.

Hope this helps,
-Craig

On Mon, Feb 28, 2022 at 8:59 AM Jim Rx wrote:
>
> Nick,
>
> Yes, Guac and Tomcat are on the same VM.
>
> As requested:
>
> root@guac:~# ls /etc/guacamole
> extensions guacamole.properties guacamole.war guacd.conf lib user-mapping.xml
> root@guac:~#
> root@guac:~# cat /etc/guacamole/guacamole.properties
> # Hostname and Guac Server Port
> guacd-hostname: 127.0.0.1
> guacd-port: 4822
> user-mapping: /etc/guacamole/user-mapping.xml
> auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
> # MySQL properties
> mysql-hostname: localhost
> mysql-port: 3306
> mysql-database: guacamole_db
> mysql-username: guacamole_user
> mysql-password: SuperSecret
> mysql-auto-create-accounts: true
>
> # LDAP Properties
> ldap-hostname: 1.2.3.4
> ldap-port: 389
> ldap-encryption-method: none
> ldap-user-base-dn: DC=domain,DC=tld
> ldap-username-attribute: samAccountName
> ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou=Administration, dc=domain, dc=tld
> ldap-search-bind-password: SuperSecret
> ldap-user-search-filter: (sAMAccountType=805306368)
>
> root@guac:~# cat /etc/guacamole/guacd.conf
> [server]
> bind_host = 127.0.0.1
> bind_port = 4822
> root@guac:~#
> root@guac:~# systemctl status guacd tomcat9
> ● guacd.service - LSB: Guacamole proxy daemon
>      Loaded: loaded (/etc/init.d/guacd; generated)
>      Active: active (running) since Mon 2022-02-28 10:52:43 CST; 2min 1s ago
>        Docs: man:systemd-sysv-generator(8)
>     Process: 806 ExecStart=/etc/init.d/guacd start (code=exited, status=0/SUCCESS)
>       Tasks: 1 (limit: 4639)
>      Memory: 9.9M
>         CPU: 22ms
>      CGroup: /system.slice/guacd.service
>              └─814 /usr/local/sbin/guacd -p /var/run/guacd.pid
> Feb 28 10:52:43 guac systemd[1]: Starting LSB: Guacamole proxy daemon...
> Feb 28 10:52:43 guac guacd[812]: Guacamole proxy daemon (guacd) version 1.4.0 started
> Feb 28 10:52:43 guac guacd[806]: Starting guacd:
> Feb 28 10:52:43 guac guacd[812]: guacd[812]: INFO: Guacamole proxy daemon (guacd) version 1.4.0 started
> Feb 28 10:52:43 guac guacd[806]: SUCCESS
> Feb 28 10:52:43 guac systemd[1]: Started LSB: Guacamole proxy daemon.
> Feb 28 10:52:43 guac guacd[814]: Listening on host 127.0.0.1, port 4822
> ● tomcat9.service - Apache Tomcat 9 Web Application Server
>      Loaded: loaded (/lib/systemd/system/tomcat9.service; enabled; vendor preset: enabled)
>      Active: active (running) since Mon 2022-02-28 10:52:43 CST; 2min 1s ago
>        Docs: https://tomcat.apache.org/tomcat-9.0-doc/index.html
>     Process: 817 ExecStartPre=/usr/libexec/tomcat9/tomcat-update-policy.sh (code=exited, status=0/SUCCESS)
>    Main PID: 822 (java)
>       Tasks: 38 (limit: 4639)
>      Memory: 305.0M
>         CPU: 16.325s
>      CGroup: /system.slice/tomcat9.service
>              └─822 /usr/lib/jvm/default-java/bin/java -Djava.util.logging.config.file=/var/lib/tomcat9/conf/logging.properties -Djava.util.logging.manager=org.apache>
> Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.701 [http-nio-8080-exec-2] INFO o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4>
> Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.702 [http-nio-8080-exec-2] INFO o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4>
> Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.703 [http-nio-8080-exec-2] INFO o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4>
> Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.703 [http-nio-8080-exec-2] INFO o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.1>
> Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.704 [http-nio-8080-exec-2] INFO o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4>
> Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.705 [http-nio-8080-exec-2] I
Re: Problems with GuacamoleHTTPTunnelServlet
Nick,

Yes, Guac and Tomcat are on the same VM.

As requested:

root@guac:~# ls /etc/guacamole
extensions guacamole.properties guacamole.war guacd.conf lib user-mapping.xml
root@guac:~#
root@guac:~# cat /etc/guacamole/guacamole.properties
# Hostname and Guac Server Port
guacd-hostname: 127.0.0.1
guacd-port: 4822
user-mapping: /etc/guacamole/user-mapping.xml
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: SuperSecret
mysql-auto-create-accounts: true

# LDAP Properties
ldap-hostname: 1.2.3.4
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: DC=domain,DC=tld
ldap-username-attribute: samAccountName
ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou=Administration, dc=domain, dc=tld
ldap-search-bind-password: SuperSecret
ldap-user-search-filter: (sAMAccountType=805306368)

root@guac:~# cat /etc/guacamole/guacd.conf
[server]
bind_host = 127.0.0.1
bind_port = 4822
root@guac:~#
root@guac:~# systemctl status guacd tomcat9
● guacd.service - LSB: Guacamole proxy daemon
     Loaded: loaded (/etc/init.d/guacd; generated)
     Active: active (running) since Mon 2022-02-28 10:52:43 CST; 2min 1s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 806 ExecStart=/etc/init.d/guacd start (code=exited, status=0/SUCCESS)
      Tasks: 1 (limit: 4639)
     Memory: 9.9M
        CPU: 22ms
     CGroup: /system.slice/guacd.service
             └─814 /usr/local/sbin/guacd -p /var/run/guacd.pid
Feb 28 10:52:43 guac systemd[1]: Starting LSB: Guacamole proxy daemon...
Feb 28 10:52:43 guac guacd[812]: Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 10:52:43 guac guacd[806]: Starting guacd:
Feb 28 10:52:43 guac guacd[812]: guacd[812]: INFO: Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 10:52:43 guac guacd[806]: SUCCESS
Feb 28 10:52:43 guac systemd[1]: Started LSB: Guacamole proxy daemon.
Feb 28 10:52:43 guac guacd[814]: Listening on host 127.0.0.1, port 4822
● tomcat9.service - Apache Tomcat 9 Web Application Server
     Loaded: loaded (/lib/systemd/system/tomcat9.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-02-28 10:52:43 CST; 2min 1s ago
       Docs: https://tomcat.apache.org/tomcat-9.0-doc/index.html
    Process: 817 ExecStartPre=/usr/libexec/tomcat9/tomcat-update-policy.sh (code=exited, status=0/SUCCESS)
   Main PID: 822 (java)
      Tasks: 38 (limit: 4639)
     Memory: 305.0M
        CPU: 16.325s
     CGroup: /system.slice/tomcat9.service
             └─822 /usr/lib/jvm/default-java/bin/java -Djava.util.logging.config.file=/var/lib/tomcat9/conf/logging.properties -Djava.util.logging.manager=org.apache>
Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.701 [http-nio-8080-exec-2] INFO o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4>
Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.702 [http-nio-8080-exec-2] INFO o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4>
Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.703 [http-nio-8080-exec-2] INFO o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4>
Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.703 [http-nio-8080-exec-2] INFO o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.1>
Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.704 [http-nio-8080-exec-2] INFO o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4>
Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.705 [http-nio-8080-exec-2] INFO o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4>
Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.705 [http-nio-8080-exec-2] INFO o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06002_REGISTERED_INTERMEDIATE_FACTORY (1.3.6.1.>
Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.867 [http-nio-8080-exec-2] INFO o.a.g.r.auth.AuthenticationService - User "guacadmin" successfully authenticated from 12>
Feb 28 10:53:12 guac tomcat9[822]: 10:53:12.438 [http-nio-8080-exec-5] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.
Feb 28 10:53:22 guac tomcat9[822]: 10:53:22.502 [http-nio-8080-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd tim>
root@guac:~#
Re: Problems with GuacamoleHTTPTunnelServlet
Yes. No output to the console. Just to be sure I ran it again:

root@guac:~# systemctl status guacd
● guacd.service - LSB: Guacamole proxy daemon
     Loaded: loaded (/etc/init.d/guacd; generated)
     Active: active (running) since Mon 2022-02-28 10:24:47 CST; 45s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 524 ExecStart=/etc/init.d/guacd start (code=exited, status=0/SUCCESS)
      Tasks: 1 (limit: 4639)
     Memory: 13.5M
        CPU: 15ms
     CGroup: /system.slice/guacd.service
             └─594 /usr/local/sbin/guacd -p /var/run/guacd.pid
Feb 28 10:24:46 guac systemd[1]: Starting LSB: Guacamole proxy daemon...
Feb 28 10:24:47 guac guacd[527]: Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 10:24:47 guac guacd[524]: Starting guacd:
Feb 28 10:24:47 guac guacd[527]: guacd[527]: INFO: Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 10:24:47 guac guacd[524]: SUCCESS
Feb 28 10:24:47 guac systemd[1]: Started LSB: Guacamole proxy daemon.
Feb 28 10:24:47 guac guacd[594]: Listening on host 127.0.0.1, port 4822
root@guac:~#
root@guac:~#
root@guac:~# systemctl stop guacd
root@guac:~#
root@guac:~# systemctl status guacd
● guacd.service - LSB: Guacamole proxy daemon
     Loaded: loaded (/etc/init.d/guacd; generated)
     Active: inactive (dead) since Mon 2022-02-28 10:25:41 CST; 4s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 524 ExecStart=/etc/init.d/guacd start (code=exited, status=0/SUCCESS)
    Process: 746 ExecStop=/etc/init.d/guacd stop (code=exited, status=0/SUCCESS)
        CPU: 23ms
Feb 28 10:24:47 guac guacd[524]: Starting guacd:
Feb 28 10:24:47 guac guacd[527]: guacd[527]: INFO: Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 10:24:47 guac guacd[524]: SUCCESS
Feb 28 10:24:47 guac systemd[1]: Started LSB: Guacamole proxy daemon.
Feb 28 10:24:47 guac guacd[594]: Listening on host 127.0.0.1, port 4822
Feb 28 10:25:41 guac systemd[1]: Stopping LSB: Guacamole proxy daemon...
Feb 28 10:25:41 guac guacd[746]: Stopping guacd: SUCCESS
Feb 28 10:25:41 guac systemd[1]: guacd.service: Succeeded.
Feb 28 10:25:41 guac systemd[1]: guacd.service: Unit process 594 (guacd) remains running after unit stopped.
Feb 28 10:25:41 guac systemd[1]: Stopped LSB: Guacamole proxy daemon.
root@guac:~#
root@guac:~#
root@guac:~# ss -alnp | grep guacd
root@guac:~#
root@guac:~#
root@guac:~#
root@guac:~# ./usr/local/sbin/guacd -L debug -f
bash: ./usr/local/sbin/guacd: No such file or directory
root@guac:~#
root@guac:~# /usr/local/sbin/guacd -L debug -f
guacd[765]: INFO: Guacamole proxy daemon (guacd) version 1.4.0 started
guacd[765]: DEBUG: Successfully bound AF_INET socket to host 127.0.0.1, port 4822
guacd[765]: INFO: Listening on host 127.0.0.1, port 4822
> > > connection attempts result in "you have been disconnected" < < <
^C
root@guac:~# systemctl status guacd
● guacd.service - LSB: Guacamole proxy daemon
     Loaded: loaded (/etc/init.d/guacd; generated)
     Active: inactive (dead) since Mon 2022-02-28 10:25:41 CST; 2min 17s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 524 ExecStart=/etc/init.d/guacd start (code=exited, status=0/SUCCESS)
    Process: 746 ExecStop=/etc/init.d/guacd stop (code=exited, status=0/SUCCESS)
        CPU: 23ms
Feb 28 10:24:47 guac guacd[524]: Starting guacd:
Feb 28 10:24:47 guac guacd[527]: guacd[527]: INFO: Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 10:24:47 guac guacd[524]: SUCCESS
Feb 28 10:24:47 guac systemd[1]: Started LSB: Guacamole proxy daemon.
Feb 28 10:24:47 guac guacd[594]: Listening on host 127.0.0.1, port 4822
Feb 28 10:25:41 guac systemd[1]: Stopping LSB: Guacamole proxy daemon...
Feb 28 10:25:41 guac guacd[746]: Stopping guacd: SUCCESS
Feb 28 10:25:41 guac systemd[1]: guacd.service: Succeeded.
Feb 28 10:25:41 guac systemd[1]: guacd.service: Unit process 594 (guacd) remains running after unit stopped.
Feb 28 10:25:41 guac systemd[1]: Stopped LSB: Guacamole proxy daemon.
root@guac:~#
root@guac:~#
root@guac:~# ss -alnp | grep guacd
root@guac:~#
root@guac:~#
root@guac:~#
root@guac:~# tail -10 /var/log/syslog
Feb 28 10:25:07 guac systemd[1]: Started Session 1 of user theadmin.
Feb 28 10:25:07 guac systemd[1]: Started Session 3 of user theadmin.
Feb 28 10:25:41 guac systemd[1]: Stopping LSB: Guacamole proxy daemon...
Feb 28 10:25:41 guac guacd[746]: Stopping guacd: SUCCESS
Feb 28 10:25:41 guac systemd[1]: guacd.service: Succeeded.
Feb 28 10:25:41 guac systemd[1]: guacd.service: Unit process 594 (guacd) remains running after unit stopped.
Feb 28 10:25:41 guac systemd[1]: Stopped LSB: Guacamole proxy daemon.
Feb 28 10:26:38 guac guacd[765]: Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 10:26:38 guac guacd[765]: Successfully bound AF_INET socket to host 127.0.0.1, port 4822
Feb 28 10:26:38 guac guacd[765]: Listening on host 127.0.0.1, port 4822
root@guac:~#
root@guac:~# tail -10 /var/log/tomcat9/catalina.out
[2022-02-28 10:27:05] [info]
Re: Problems with GuacamoleHTTPTunnelServlet
el request failed: Connection to guacd timed out.
[2022-02-28 08:46:09] [info] 08:46:09.524 [http-nio-8080-exec-7] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.
root@guac:~#

Sent: Monday, February 28, 2022 at 8:30 AM
From: "Nick Couchman"
To: user@guacamole.apache.org
Subject: Re: Problems with GuacamoleHTTPTunnelServlet

On Mon, Feb 28, 2022 at 9:02 AM Jim Rx <jimr...@mail.com> wrote:
> Nick,
>
> Sorry for the delayed reply, We had ice storms and it kept me from work.
>
> So I'm not really any further. I killed guacd (systemctl stop guacd), and then, as root, from the /etc/init.d directory, ran ./guacd start -L debug -f

No, this won't work - you'll want the path to the actual guacd binary, not the init script. The path to the binary can be found in the init script, but it's different from the script. May be something like /usr/local/sbin/guacd or /usr/sbin/guacd, something like that.

-Nick
Re: Problems with GuacamoleHTTPTunnelServlet
Nick,

Sorry for the delayed reply, We had ice storms and it kept me from work.

So I'm not really any further. I killed guacd (systemctl stop guacd), and then, as root, from the /etc/init.d directory, ran ./guacd start -L debug -f

I'm not getting anything on console, but checking journalctl -xe I see the same "no such tunnel" and "connection to guacd timed out" messages

BTW - this is on Debian 11, if that has any bearing

Thanks
Jim

root@guac:/etc/init.d# ./guacd start -L debug -f
Starting guacd: guacd[4427]: INFO: Guacamole proxy daemon (guacd) version 1.4.0 started
SUCCESS
root@guac:/etc/init.d# journalctl -xe
Feb 28 07:53:42 guac systemd[1]: Stopping LSB: Guacamole proxy daemon...
░░ Subject: A stop job for unit guacd.service has begun execution
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A stop job for unit guacd.service has begun execution.
░░
░░ The job identifier is 3112.
Feb 28 07:53:42 guac guacd[4422]: Stopping guacd: SUCCESS
Feb 28 07:53:42 guac systemd[1]: guacd.service: Succeeded.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit guacd.service has successfully entered the 'dead' state.
Feb 28 07:53:42 guac systemd[1]: guacd.service: Unit process 4354 (guacd) remains running after unit stopped.
Feb 28 07:53:42 guac systemd[1]: Stopped LSB: Guacamole proxy daemon.
░░ Subject: A stop job for unit guacd.service has finished
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A stop job for unit guacd.service has finished.
░░
░░ The job identifier is 3112 and the job result is done.
Feb 28 07:53:55 guac guacd[4427]: Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 07:53:55 guac guacd[4429]: Listening on host 127.0.0.1, port 4822
root@guac:/etc/init.d# journalctl -xe
Feb 28 07:53:42 guac systemd[1]: Stopping LSB: Guacamole proxy daemon...
░░ Subject: A stop job for unit guacd.service has begun execution
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A stop job for unit guacd.service has begun execution.
░░
░░ The job identifier is 3112.
Feb 28 07:53:42 guac guacd[4422]: Stopping guacd: SUCCESS
Feb 28 07:53:42 guac systemd[1]: guacd.service: Succeeded.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit guacd.service has successfully entered the 'dead' state.
Feb 28 07:53:42 guac systemd[1]: guacd.service: Unit process 4354 (guacd) remains running after unit stopped.
Feb 28 07:53:42 guac systemd[1]: Stopped LSB: Guacamole proxy daemon.
░░ Subject: A stop job for unit guacd.service has finished
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A stop job for unit guacd.service has finished.
░░
░░ The job identifier is 3112 and the job result is done.
Feb 28 07:53:55 guac guacd[4427]: Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 07:53:55 guac guacd[4429]: Listening on host 127.0.0.1, port 4822
Feb 28 07:54:28 guac tomcat9[4361]: 07:54:28.098 [http-nio-8080-exec-9] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.
Feb 28 07:54:38 guac tomcat9[4361]: 07:54:38.128 [http-nio-8080-exec-7] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd ti>
root@guac:/etc/init.d# journalctl -xe
Feb 28 07:53:42 guac systemd[1]: Stopping LSB: Guacamole proxy daemon...
░░ Subject: A stop job for unit guacd.service has begun execution
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A stop job for unit guacd.service has begun execution.
░░
░░ The job identifier is 3112.
Feb 28 07:53:42 guac guacd[4422]: Stopping guacd: SUCCESS
Feb 28 07:53:42 guac systemd[1]: guacd.service: Succeeded.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit guacd.service has successfully entered the 'dead' state.
Feb 28 07:53:42 guac systemd[1]: guacd.service: Unit process 4354 (guacd) remains running after unit stopped.
Feb 28 07:53:42 guac systemd[1]: Stopped LSB: Guacamole proxy daemon.
░░ Subject: A stop job for unit guacd.service has finished
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A stop job for unit guacd.service has finished.
░░
░░ The job identifier is 3112 and the job result is done.
Feb 28 07:53:55 guac guacd[4427]: Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 07:53:55 guac guacd[4429]: Listening on host 127.0.0.1, port 4822
Feb 28 07:54:28 guac tomcat9[4361]: 07:54:28.098 [http-nio-8080-exec-9] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.
Feb 28 07:54:38 guac tomcat9[4361]: 07:54:38.128 [http-nio-8080-exec-7] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd ti>
Feb 28 07:54:58 guac tomcat9[4361]: 07:54:58.541 [http-nio-8080-exec-5] WARN o.a.g.s.GuacamoleHTTPTunnelServlet -
Re: Problems with GuacamoleHTTPTunnelServlet
I attempted several connections. All of them gave me a "disconnected" message

cat /var/log/tomcat9/catalina.out
[2022-02-23 09:40:19] [info] 09:40:19.112 [http-nio-8080-exec-6] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.
[2022-02-23 09:40:29] [info] 09:40:29.189 [http-nio-8080-exec-7] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.
[2022-02-23 09:40:34] [info] 09:40:34.615 [http-nio-8080-exec-9] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.
[2022-02-23 09:40:44] [info] 09:40:44.661 [http-nio-8080-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.
[2022-02-23 09:40:52] [info] 09:40:52.261 [http-nio-8080-exec-4] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.
[2022-02-23 09:41:02] [info] 09:41:02.306 [http-nio-8080-exec-9] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.
[2022-02-23 09:41:06] [info] 09:41:06.449 [http-nio-8080-exec-3] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.

cat /var/log/syslog
Feb 23 09:39:41 guac systemd[1]: tomcat9.service: Succeeded.
Feb 23 09:39:41 guac systemd[1]: Stopped Apache Tomcat 9 Web Application Server.
Feb 23 09:39:41 guac systemd[1]: tomcat9.service: Consumed 16.601s CPU time.
Feb 23 09:39:41 guac systemd[1]: Starting Apache Tomcat 9 Web Application Server...
Feb 23 09:39:41 guac systemd[1]: Started Apache Tomcat 9 Web Application Server.
root@guac:/etc/guacamole#

Thank you
Jim

Sent: Wednesday, February 23, 2022 at 9:06 AM
From: "Nick Couchman"
To: user@guacamole.apache.org
Subject: Re: Problems with GuacamoleHTTPTunnelServlet

On Wed, Feb 23, 2022 at 9:26 AM Jim Rx <jimr...@mail.com> wrote:
> Maybe there is an issue between tomcat and guacd?
>
> The full error message I'm receiving is as follows:
>
> [date/time] [info] [time] [http-nio-8080-exec-10] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.
>
> and
>
> [date/time] [info] [time] [http-nio-8080-exec-2] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.
>
> in the logs, the number following exec varies
>
> Any thoughts?

What do the guacd logs say during this time (usually in syslog/journalctl)?

-Nick
Re: Problems with GuacamoleHTTPTunnelServlet
Maybe there is an issue between tomcat and guacd?

The full error message I'm receiving is as follows:

[date/time] [info] [time] [http-nio-8080-exec-10] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.

and

[date/time] [info] [time] [http-nio-8080-exec-2] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.

in the logs, the number following exec varies

Any thoughts?

Thanks
Jim

Sent: Tuesday, February 22, 2022 at 2:58 PM
From: "Jim Rx"
To: user@guacamole.apache.org
Subject: Re: Problems with GuacamoleHTTPTunnelServlet

As a follow up, I've tested RDP directly to the target boxes and it works with no issues.

Sent: Tuesday, February 22, 2022 at 11:06 AM
From: "Jim Rx"
To: user@guacamole.apache.org
Subject: Re: Problems with GuacamoleHTTPTunnelServlet

Yes, it is running. I had to add the guacd.conf file to get it to stop listening to ::1 port 4822. It is now listening to 127.0.0.1 port 4822

root@guac:/home/theadmin# systemctl status guacd
● guacd.service - LSB: Guacamole proxy daemon
     Loaded: loaded (/etc/init.d/guacd; generated)
     Active: active (running) since Tue 2022-02-22 09:46:45 CST; 1h 17min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 763 ExecStart=/etc/init.d/guacd start (code=exited, status=0/SUCCE>
      Tasks: 1 (limit: 4639)
     Memory: 13.7M
        CPU: 20ms
     CGroup: /system.slice/guacd.service
             └─767 /usr/local/sbin/guacd -p /var/run/guacd.pid
Feb 22 09:46:45 guac systemd[1]: Starting LSB: Guacamole proxy daemon...
Feb 22 09:46:45 guac guacd[765]: Guacamole proxy daemon (guacd) version 1.4.0 s>
Feb 22 09:46:45 guac guacd[763]: Starting guacd:
Feb 22 09:46:45 guac guacd[765]: guacd[765]: INFO: Guacamole proxy daemo>
Feb 22 09:46:45 guac guacd[763]: SUCCESS
Feb 22 09:46:45 guac systemd[1]: Started LSB: Guacamole proxy daemon.
Feb 22 09:46:45 guac guacd[767]: Listening on host 127.0.0.1, port 4822

Sent: Tuesday, February 22, 2022 at 10:51 AM
From: "Nick Couchman"
To: user@guacamole.apache.org
Subject: Re: Problems with GuacamoleHTTPTunnelServlet

On Tue, Feb 22, 2022 at 11:01 AM Jim Rx <jimr...@mail.com> wrote:
> Hello,
>
> So I've got 1.4.0 up and going. I'm now trying to connect and test to remote stations, and am having no luck.
>
> -The machines have IP connectivity
> -Attempts to connect (RDP) to both a Centos7 VM and a Windows10 VM fail.
>
> Two different messages show up in catalina.out:
>
> HTTP tunnel request failed: Connection to guacd timed out
> HTTP tunnel request failed: No such tunnel
>
> I have the connections set up for IP/3389, No encryption, Any security type, and ignore the server certificate. I have verified that the RDP/XRDP service is running on both target VMs.
>
> Any suggestions where to look?

Is guacd running? If so, is it listening on the IPv4 address (127.0.0.1)? You may need to configure it to listen on IPv4 by setting up a guacd.conf file with the bind_host set to 127.0.0.1. Newer Linux distros tend to default to IPv6, particularly for loopback traffic, and this won't work between Tomcat and guacd by default.

https://guacamole.apache.org/doc/gug/configuring-guacamole.html#configuring-guacd

-Nick
Re: Problems with GuacamoleHTTPTunnelServlet
As a follow up, I've tested RDP directly to the target boxes and it works with no issues.

Sent: Tuesday, February 22, 2022 at 11:06 AM
From: "Jim Rx"
To: user@guacamole.apache.org
Subject: Re: Problems with GuacamoleHTTPTunnelServlet

Yes, it is running. I had to add the guacd.conf file to get it to stop listening to ::1 port 4822. It is now listening to 127.0.0.1 port 4822

root@guac:/home/theadmin# systemctl status guacd
● guacd.service - LSB: Guacamole proxy daemon
     Loaded: loaded (/etc/init.d/guacd; generated)
     Active: active (running) since Tue 2022-02-22 09:46:45 CST; 1h 17min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 763 ExecStart=/etc/init.d/guacd start (code=exited, status=0/SUCCE>
      Tasks: 1 (limit: 4639)
     Memory: 13.7M
        CPU: 20ms
     CGroup: /system.slice/guacd.service
             └─767 /usr/local/sbin/guacd -p /var/run/guacd.pid
Feb 22 09:46:45 guac systemd[1]: Starting LSB: Guacamole proxy daemon...
Feb 22 09:46:45 guac guacd[765]: Guacamole proxy daemon (guacd) version 1.4.0 s>
Feb 22 09:46:45 guac guacd[763]: Starting guacd:
Feb 22 09:46:45 guac guacd[765]: guacd[765]: INFO: Guacamole proxy daemo>
Feb 22 09:46:45 guac guacd[763]: SUCCESS
Feb 22 09:46:45 guac systemd[1]: Started LSB: Guacamole proxy daemon.
Feb 22 09:46:45 guac guacd[767]: Listening on host 127.0.0.1, port 4822

Sent: Tuesday, February 22, 2022 at 10:51 AM
From: "Nick Couchman"
To: user@guacamole.apache.org
Subject: Re: Problems with GuacamoleHTTPTunnelServlet

On Tue, Feb 22, 2022 at 11:01 AM Jim Rx <jimr...@mail.com> wrote:
> Hello,
>
> So I've got 1.4.0 up and going. I'm now trying to connect and test to remote stations, and am having no luck.
>
> -The machines have IP connectivity
> -Attempts to connect (RDP) to both a Centos7 VM and a Windows10 VM fail.
>
> Two different messages show up in catalina.out:
>
> HTTP tunnel request failed: Connection to guacd timed out
> HTTP tunnel request failed: No such tunnel
>
> I have the connections set up for IP/3389, No encryption, Any security type, and ignore the server certificate. I have verified that the RDP/XRDP service is running on both target VMs.
>
> Any suggestions where to look?

Is guacd running? If so, is it listening on the IPv4 address (127.0.0.1)? You may need to configure it to listen on IPv4 by setting up a guacd.conf file with the bind_host set to 127.0.0.1. Newer Linux distros tend to default to IPv6, particularly for loopback traffic, and this won't work between Tomcat and guacd by default.

https://guacamole.apache.org/doc/gug/configuring-guacamole.html#configuring-guacd

-Nick
Re: Problems with GuacamoleHTTPTunnelServlet
Yes, it is running. I had to add the guacd.conf file to get it to stop listening to ::1 port 4822. It is now listening to 127.0.0.1 port 4822

root@guac:/home/theadmin# systemctl status guacd
● guacd.service - LSB: Guacamole proxy daemon
     Loaded: loaded (/etc/init.d/guacd; generated)
     Active: active (running) since Tue 2022-02-22 09:46:45 CST; 1h 17min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 763 ExecStart=/etc/init.d/guacd start (code=exited, status=0/SUCCE>
      Tasks: 1 (limit: 4639)
     Memory: 13.7M
        CPU: 20ms
     CGroup: /system.slice/guacd.service
             └─767 /usr/local/sbin/guacd -p /var/run/guacd.pid

Feb 22 09:46:45 guac systemd[1]: Starting LSB: Guacamole proxy daemon...
Feb 22 09:46:45 guac guacd[765]: Guacamole proxy daemon (guacd) version 1.4.0 s>
Feb 22 09:46:45 guac guacd[763]: Starting guacd:
Feb 22 09:46:45 guac guacd[765]: guacd[765]: INFO: Guacamole proxy daemo>
Feb 22 09:46:45 guac guacd[763]: SUCCESS
Feb 22 09:46:45 guac systemd[1]: Started LSB: Guacamole proxy daemon.
Feb 22 09:46:45 guac guacd[767]: Listening on host 127.0.0.1, port 4822

Sent: Tuesday, February 22, 2022 at 10:51 AM
From: "Nick Couchman"
To: user@guacamole.apache.org
Subject: Re: Problems with GuacamoleHTTPTunnelServlet

On Tue, Feb 22, 2022 at 11:01 AM Jim Rx <jimr...@mail.com> wrote:

Hello,

So I've got 1.4.0 up and going. I'm now trying to connect and test to remote stations, and am having no luck.

-The machines have IP connectivity
-Attempts to connect (RDP) to both a Centos7 VM and a Windows10 VM fail.

Two different messages show up in catalina.out:

HTTP tunnel request failed: Connection to guacd timed out
HTTP tunnel request failed: No such tunnel

I have the connections set up for IP/3389, No encryption, Any security type, and ignore the server certificate. I have verified that the RDP/XRDP service is running on both target VMs.

Any suggestions where to look?

Is guacd running? If so, is it listening on the IPv4 address (127.0.0.1)? You may need to configure it to listen on IPv4 by setting up a guacd.conf file with the bind_host set to 127.0.0.1. Newer Linux distros tend to default to IPv6, particularly for loopback traffic, and this won't work between Tomcat and guacd by default.

https://guacamole.apache.org/doc/gug/configuring-guacamole.html#configuring-guacd

-Nick
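Added example (not part of the thread and not Guacamole project code): a Python check for the loopback mismatch Nick describes, where guacd listens on one loopback address family and the web application connects on the other. The function names and status strings are made up for this example; port 4822 and the bind_host advice come from the thread.

```python
import socket

GUACD_PORT = 4822  # port shown in the guacd log line quoted in the thread

# Loopback addresses to test, one per address family.
LOOPBACKS = ((socket.AF_INET, "127.0.0.1"), (socket.AF_INET6, "::1"))


def probe_loopback(port=GUACD_PORT, timeout=1.0):
    """Attempt a TCP connect to `port` on each loopback address.

    Returns {"127.0.0.1": bool, "::1": bool}. False covers refused
    connections, timeouts and hosts without that address family.
    """
    results = {}
    for family, address in LOOPBACKS:
        try:
            with socket.socket(family, socket.SOCK_STREAM) as sock:
                sock.settimeout(timeout)
                sock.connect((address, port))
            results[address] = True
        except OSError:
            results[address] = False
    return results


def resolution_order(hostname, port=GUACD_PORT):
    """Addresses `hostname` resolves to, in resolver order, without repeats.

    Useful for seeing whether a guacd-hostname of "localhost" yields ::1
    before 127.0.0.1 on this machine.
    """
    seen = []
    for info in socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM):
        address = info[4][0]
        if address not in seen:
            seen.append(address)
    return seen


def diagnose(results):
    """Map probe results to a short status string (names are hypothetical)."""
    v4 = results.get("127.0.0.1", False)
    v6 = results.get("::1", False)
    if v4 and v6:
        return "both"
    if v4:
        return "ipv4-only"
    if v6:
        # The case from the thread: guacd bound to ::1 only.
        return "ipv6-only: set bind_host = 127.0.0.1 in guacd.conf"
    return "not-listening"


if __name__ == "__main__":
    found = probe_loopback()
    print("probe:", found)
    print("localhost resolves to:", resolution_order("localhost"))
    print("status:", diagnose(found))
```

A status of "ipv4-only" matches the state Jim reports after adding guacd.conf, so a remaining "Connection to guacd timed out" would have to come from something other than the bind address.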
Problems with GuacamoleHTTPTunnelServlet
Hello,

So I've got 1.4.0 up and going. I'm now trying to connect and test to remote stations, and am having no luck.

-The machines have IP connectivity
-Attempts to connect (RDP) to both a Centos7 VM and a Windows10 VM fail.

Two different messages show up in catalina.out:

HTTP tunnel request failed: Connection to guacd timed out
HTTP tunnel request failed: No such tunnel

I have the connections set up for IP/3389, No encryption, Any security type, and ignore the server certificate. I have verified that the RDP/XRDP service is running on both target VMs.

Any suggestions where to look?

Thanks
Jim
Re: Manual database update
Thanks for the advice. I'm not yet fluent with using APIs, so discovering the APIs for Guacamole is a tall task I'm not ready to take on. So, back to the white board it is.

Sent: Tuesday, February 15, 2022 at 2:57 PM
From: "Craig Sawyer"
To: user@guacamole.apache.org
Subject: Re: Manual database update

in the PG database, `nextval('guacamole_entity_entity_id_seq'::regclass)`, i.e. the entity ID is created for you, and you probably shouldn't mess with that.

You appear to be using MySQL and it's apparently due to MySQL Strict Mode, whatever that is (not a MySQL user). You probably don't want to turn it off, MySQL isn't known for being the best data safety steward by default, so turning off the default on safety stuff seems like a bad idea.

Instead I'd just add/delete users based on their username, which should be unique across your organization anyway. You can always figure out the entity ID if needed. i.e. use a null value for the ID, and let the DB create the entity_id #'s for you.

For us, we use the somewhat undocumented API instead to do these things from python code (any language possible), but it's exactly the same use-case. We programmatically setup guac users and connections before the user ever connects to Guac as part of our sync users to HR system.

-Craig

On Tue, Feb 15, 2022 at 12:34 PM Jim Rx wrote:
>
> Hello - I am attempting to manually control the contents of the guacamole_entity, guacamole_user, and guacamole_connection_permission tables.
>
> My overall goal is to script the provisioning of connections. I would like to be in a position where our users can log in to guacamole and already have their connections defined and assigned to their profile.
>
> My planned approach to this is to create a txt/csv file with the proper entries for each of the tables, and then use those to manually load into the tables.
>
> I'm running into my first issue with the guacamole_entity table. As it stands, there is one entry in the table, entity_id 1, which is guacadmin.
>
> The reason I want to manually control the entity_id is so that I can reliably delete those entries when the group of users depart and their connections are no longer needed.
>
> I have a txt file with a few users in it, and I am attempting to manually define the entity_id. The text file for my tests looks like this:
> 101,2299Bbob,USER
> 102,2299JWill,USER
> 103,2299SDogg,USER
> 104,2299AUser,USER
>
> When I try to import this into the entity table, I receive an error that says I have an incorrect integer value. Specifically:
>
> ERROR 1366 (22007) at line 1: Incorrect integer value: '101' for colum `guacamole_db`.`guacamole_entity`.`entity_id` at row 1
>
> Any suggestions?
>
> Thanks
>
> Jim
>
Manual database update
Hello - I am attempting to manually control the contents of the guacamole_entity, guacamole_user, and guacamole_connection_permission tables.

My overall goal is to script the provisioning of connections. I would like to be in a position where our users can log in to guacamole and already have their connections defined and assigned to their profile.

My planned approach to this is to create a txt/csv file with the proper entries for each of the tables, and then use those to manually load into the tables.

I'm running into my first issue with the guacamole_entity table. As it stands, there is one entry in the table, entity_id 1, which is guacadmin.

The reason I want to manually control the entity_id is so that I can reliably delete those entries when the group of users depart and their connections are no longer needed.

I have a txt file with a few users in it, and I am attempting to manually define the entity_id. The text file for my tests looks like this:

101,2299Bbob,USER
102,2299JWill,USER
103,2299SDogg,USER
104,2299AUser,USER

When I try to import this into the entity table, I receive an error that says I have an incorrect integer value. Specifically:

ERROR 1366 (22007) at line 1: Incorrect integer value: '101' for colum `guacamole_db`.`guacamole_entity`.`entity_id` at row 1

Any suggestions?

Thanks
Jim
Re: *LONG* Directly using SQL tables
Jonathan,

I was over-complicating things. Salting the hashes is not a big deal (as I've discovered).

So the key to the whole thing working was the guacamole_user table. I had to add the entries there as well. The trick is the password_hash... the fields for the password_hash and password_salt are binary(32). So when I took our common starting point password "$UPER$ecret" and hashed it with SHA256 (I used an online hash tool), I had to divide the 64 hex characters it returned into two 32-character strings, one in the password_hash field and one in the password_salt field. There are a couple more mandatory fields in that table and then it imports just fine. After that, as long as the users are in AD, they can log in just fine and they have connections set up.

The guacamole_user table works out to look like this in the csv file:

141,141,98FBF2243B9D9A9F93B7D87DAC20C8CD,CCB8315A0A5F02340A115F6A846113D0,2022-01-01 00:01:00,0,0,\N,\N,\N,\N,CST,\N,\N,\N,\N

So I can salt the hashes to protect the common starting password, and all is well.

Thanks again,
Jim

Sent: Thursday, January 13, 2022 at 1:14 PM
From: "Hankins, Jonathan"
To: user@guacamole.apache.org
Subject: Re: *LONG* Directly using SQL tables

The docs indicate that the only thing required for auto-create to work, once it's enabled, is for a successful authentication from another extension, so I would expect that it should be creating accounts for you if they are successfully authenticating against LDAP. Haven't tested in our environment.

As far as adding unsalted passwords, make sure to heed the warning in the docs. Even if you are using the database accounts as "dummies" and they are all authenticating against LDAP, I *believe* that they can still auth against the database with the password in the DB, regardless of LDAP. May be wrong on that, but if that's right, and your DB was compromised, the unsalted hashes are easy to break. There is a code example in the docs about how to salt the hashes in MySQL.
On Thu, Jan 13, 2022 at 11:38 AM Jim Rx <jimr...@mail.com> wrote: Johnathan, Thanks for your reply. I checked and you are right -- the import into the guacamole_entity table was successful, but there are no corresponding entries being created in the guacamole_user table. We are using LDAP, and we have the auto-create option "mysql-auto-create-accounts: true" configured. I assume that if the account already exists in the database, then it's a push. Since database authentication is "subordinate" to other authentication extensions, I think I'll try and add to the user table manually with unsalted gibberish passwords and see if it works. Jim Sent: Thursday, January 13, 2022 at 10:45 AM From: "Hankins, Jonathan" <jhank...@homewood.k12.al.us> To: user@guacamole.apache.org Subject: Re: *LONG* Directly using SQL tables I am using Postgres, but one thing I noticed that's different with my setup is I am not specifying the entity_id -- it is an auto-increment field in MySQL (serial in Postgres). I think you don't have anything in the guacamole_user table for the entities you are creating. Have a look at: https://guacamole.apache.org/doc/gug/jdbc-auth.html#users Also, since you are using LDAP for auth, you may be able to shortcut all of this, have a look at: https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users On Tue, Jan 11, 2022 at 11:09 AM Jim Rx <jimr...@mail.com> wrote: Greetings, I have a question about updating the database contents directly. Sorry for the length of the email, just trying to cover all the bases. Our environment is using Guacamole 1.3 on a dedicated VM (VMware ESXi, 4 CPU, 16Gb RAM), leveraging SQL and LDAP/Active Directory. We support a training company that will generally bring in 20 students at a time for class, several times over the course of a year. Right now, we use generic "Student123" accounts associated with prebuilt connections and everything runs great. 
But we want to move to having students use their named logins (which means we'll also have to remove those entries at the end of class). The process of getting everything set up is pretty manual, so I'm looking for a way to script everything. All authentication is pointed at our Windows Domain Controller using LDAP. I have used CSV files and SQL commands in the past to add new connections (entries into the connections and connection_parameter tables). Those always show up in the Web UI just fine. I have not had any luck adding entries into the table with user names (entities) or the table with connections (connection_permissions). The rows are added to the table, but do not appear in the Web UI (this is being done ahead of a class starting, so the users are in AD but they have never logged on any of our systems). When using this method, u
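Added example (not from the thread and not Guacamole project code): generating a per-user random salt and matching hash for guacamole_user, for the salting Jonathan points to in the docs. It assumes the scheme in the linked jdbc-auth documentation (SHA-256 over the password followed by the uppercase hex of a 32-byte salt); the column list, the `%s` placeholders (PyMySQL / mysql-connector style) and the function names are assumptions as well.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Sequence, Tuple

SALT_BYTES = 32  # password_hash and password_salt are binary(32) columns


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (password_hash, password_salt) as raw 32-byte values."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # CSPRNG, fresh salt per user
    if len(salt) != SALT_BYTES:
        raise ValueError("password_salt must be exactly 32 bytes")
    # Assumed scheme (jdbc-auth documentation): SHA-256 over the password
    # followed by the salt written as uppercase hex.
    material = password.encode("utf-8") + salt.hex().upper().encode("ascii")
    return hashlib.sha256(material).digest(), salt


def verify(password: str, password_hash: bytes, password_salt: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate, _ = salted_hash(password, password_salt)
    return hmac.compare_digest(candidate, password_hash)


def provisioning_statements(
    usernames: Sequence[str], password: Optional[str] = None
) -> List[Tuple[str, tuple]]:
    """Build parameterized (sql, params) pairs for each user.

    entity_id is left to the database's auto-increment, as suggested in
    the thread. With password=None every account gets a random throwaway
    password that is never stored in clear, so only the other
    authentication extension (LDAP in the thread) can log the user in.
    """
    statements = []
    for name in usernames:
        pw = password if password is not None else secrets.token_urlsafe(32)
        pw_hash, pw_salt = salted_hash(pw)
        statements.append((
            "INSERT INTO guacamole_entity (name, type) VALUES (%s, 'USER')",
            (name,),
        ))
        statements.append((
            "INSERT INTO guacamole_user "
            "(entity_id, password_hash, password_salt, password_date) "
            "SELECT entity_id, UNHEX(%s), UNHEX(%s), CURRENT_TIMESTAMP "
            "FROM guacamole_entity WHERE name = %s AND type = 'USER'",
            (pw_hash.hex(), pw_salt.hex(), name),
        ))
    return statements


if __name__ == "__main__":
    # Usernames taken from the sample CSV quoted in the thread.
    for sql, params in provisioning_statements(["2299shenry", "2299sjones"]):
        print(sql)
        print("   params:", params)
```

Removing the class afterwards can then be done by username (`DELETE FROM guacamole_entity WHERE name = %s AND type = 'USER'`), without tracking entity_id values by hand.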
Re: *LONG* Directly using SQL tables
Thanks for your response Craig. Python may be the next step, although there is a learning curve for us. I'll keep this handy.

Thanks
Jim

Sent: Thursday, January 13, 2022 at 11:46 AM
From: "Craig Sawyer"
To: user@guacamole.apache.org
Subject: Re: *LONG* Directly using SQL tables

What we do, instead of altering the DB directly, is use the API. There is some python code running around, like https://github.com/pschmitt/guacapy to make changes to Guac.

I'm guessing that code will need to be updated for 1.4.0 by adding "Content-Type":"application/x-www-form-urlencoded" to the headers. (This is not tested or checked, just based on my personal observations with my API code)

-Craig

On Thu, Jan 13, 2022 at 9:38 AM Jim Rx wrote:
>
> Jonathan,
>
> Thanks for your reply.
>
> I checked and you are right -- the import into the guacamole_entity table was successful, but there are no corresponding entries being created in the guacamole_user table.
>
> We are using LDAP, and we have the auto-create option "mysql-auto-create-accounts: true" configured. I assume that if the account already exists in the database, then it's a push.
>
> Since database authentication is "subordinate" to other authentication extensions, I think I'll try and add to the user table manually with unsalted gibberish passwords and see if it works.
>
> Jim
> Sent: Thursday, January 13, 2022 at 10:45 AM
> From: "Hankins, Jonathan"
> To: user@guacamole.apache.org
> Subject: Re: *LONG* Directly using SQL tables
> I am using Postgres, but one thing I noticed that's different with my setup is I am not specifying the entity_id -- it is an auto-increment field in MySQL (serial in Postgres).
>
> I think you don't have anything in the guacamole_user table for the entities you are creating.
Have a look at: > > https://guacamole.apache.org/doc/gug/jdbc-auth.html#users > > Also, since you are using LDAP for auth, you may be able to shortcut all of this, have a look at: > > https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users > > > > > On Tue, Jan 11, 2022 at 11:09 AM Jim Rx wrote: >> >> Greetings, I have a question about updating the database contents directly. Sorry for the length of the email, just trying to cover all the bases. >> >> Our environment is using Guacamole 1.3 on a dedicated VM (VMware ESXi, 4 CPU, 16Gb RAM), leveraging SQL and LDAP/Active Directory. >> >> We support a training company that will generally bring in 20 students at a time for class, several times over the course of a year. >> >> Right now, we use generic "Student123" accounts associated with prebuilt connections and everything runs great. But we want to move to having students use their named logins (which means we'll also have to remove those entries at the end of class). The process of getting everything set up is pretty manual, so I'm looking for a way to script everything. >> >> All authentication is pointed at our Windows Domain Controller using LDAP. >> >> I have used CSV files and SQL commands in the past to add new connections (entries into the connections and connection_parameter tables). Those always show up in the Web UI just fine. I have not had any luck adding entries into the table with user names (entities) or the table with connections (connection_permissions). The rows are added to the table, but do not appear in the Web UI (this is being done ahead of a class starting, so the users are in AD but they have never logged on any of our systems). >> >> When using this method, user login attempts fail with no apparent log entries (I think I checked them all... /var/etc/tomcat9/ catalina.out, localhost_access_log.-MM-DD.txt, localhost.-MM-DD.log; /var/log/syslog, /var/log/messages, /var/log/nginx/guac_access.log guac_error.log ). 
>> If I only add the connection information (nothing in the entity or permissions tables) then the user can log in successfully, but I have to go back and manually add their connection information. I'd like to keep from doing things manually as possible. >> >> Below are the details of the configuration and the SQL commands I used in my attempts. >> >> Thank you >> >> Jim >> >> /etc/guacamole/guacamole.properties looks like this: >> guacd-hostname: localhost >> guacd-port: 4822 >> user-mapping: /etc/guacamole/user-mapping.xml >> auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider >> >> # MySQL properties >> mysql-hostname: localhost >> mysql-port: 3306 >> mysql-database: guacamole_db >> mysql-username: guacamole_user >> mysql-password: $UPER$ecret >> mysql-auto-create-accounts: true >
Re: *LONG* Directly using SQL tables
Johnathan, Thanks for your reply. I checked and you are right -- the import into the guacamole_entity table was successful, but there are no corresponding entries being created in the guacamole_user table. We are using LDAP, and we have the auto-create option "mysql-auto-create-accounts: true" configured. I assume that if the account already exists in the database, then it's a push. Since database authentication is "subordinate" to other authentication extensions, I think I'll try and add to the user table manually with unsalted gibberish passwords and see if it works. Jim Sent: Thursday, January 13, 2022 at 10:45 AM From: "Hankins, Jonathan" To: user@guacamole.apache.org Subject: Re: *LONG* Directly using SQL tables I am using Postgres, but one thing I noticed that's different with my setup is I am not specifying the entity_id -- it is an auto-increment field in MySQL (serial in Postgres). I think you don't have anything in the guacamole_user table for the entities you are creating. Have a look at: https://guacamole.apache.org/doc/gug/jdbc-auth.html#users Also, since you are using LDAP for auth, you may be able to shortcut all of this, have a look at: https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users On Tue, Jan 11, 2022 at 11:09 AM Jim Rx <jimr...@mail.com> wrote: Greetings, I have a question about updating the database contents directly. Sorry for the length of the email, just trying to cover all the bases. Our environment is using Guacamole 1.3 on a dedicated VM (VMware ESXi, 4 CPU, 16Gb RAM), leveraging SQL and LDAP/Active Directory. We support a training company that will generally bring in 20 students at a time for class, several times over the course of a year. Right now, we use generic "Student123" accounts associated with prebuilt connections and everything runs great. But we want to move to having students use their named logins (which means we'll also have to remove those entries at the end of class). 
The process of getting everything set up is pretty manual, so I'm looking for a way to script everything. All authentication is pointed at our Windows Domain Controller using LDAP. I have used CSV files and SQL commands in the past to add new connections (entries into the connections and connection_parameter tables). Those always show up in the Web UI just fine. I have not had any luck adding entries into the table with user names (entities) or the table with connections (connection_permissions). The rows are added to the table, but do not appear in the Web UI (this is being done ahead of a class starting, so the users are in AD but they have never logged on any of our systems). When using this method, user login attempts fail with no apparent log entries (I think I checked them all... /var/etc/tomcat9/ catalina.out, localhost_access_log.-MM-DD.txt, localhost.-MM-DD.log; /var/log/syslog, /var/log/messages, /var/log/nginx/guac_access.log guac_error.log ). If I only add the connection information (nothing in the entity or permissions tables) then the user can log in successfully, but I have to go back and manually add their connection information. I'd like to keep from doing things manually as possible. Below are the details of the configuration and the SQL commands I used in my attempts. 
Thank you Jim /etc/guacamole/guacamole.properties looks like this: guacd-hostname: localhost guacd-port: 4822 user-mapping: /etc/guacamole/user-mapping.xml auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider # MySQL properties mysql-hostname: localhost mysql-port: 3306 mysql-database: guacamole_db mysql-username: guacamole_user mysql-password: $UPER$ecret mysql-auto-create-accounts: true # LDAP Properties ldap-hostname: 10.0.0.10 ldap-port: 389 ldap-encryption-method: none #ldap-user-base-dn: OU=them, DC=our, DC=net ldap-user-base-dn: DC=our,DC=net ldap-username-attribute: samAccountName ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou=Administration, dc=our, dc=net ldap-search-bind-password: $UPER$ecret #ldap-user-search-filter: (objectClass=user)(!(objectCategory=computer)) ldap-user-search-filter: (sAMAccountType=805306368) The process that I attempted to use was as follows: Create the required CSV files- NEW_STUDENT_CONNECTION.csv: 284,NS-Linux-01,\N,rdp,\N,\N,\N,\N,\N,\N,0 285,NS-Linux-02,\N,rdp,\N,\N,\N,\N,\N,\N,0 286,NS-Linux-03,\N,rdp,\N,\N,\N,\N,\N,\N,0 287,NS-Linux-04,\N,rdp,\N,\N,\N,\N,\N,\N,0 314,NS-Windows-01,\N,rdp,\N,\N,\N,\N,\N,\N,0 315,NS-Windows-02,\N,rdp,\N,\N,\N,\N,\N,\N,0 316,NS-Windows-03,\N,rdp,\N,\N,\N,\N,\N,\N,0 317,NS-Windows-04,\N,rdp,\N,\N,\N,\N,\N,\N,0 NEW_STUDENT_CONNECTION_PARAMETERS.csv: 284,hostname,10.16.6.100 284,ignore-cert,true 284,port,3389 285,hostname,10.16.6.101 285,ignore-cert,true 285,port,3389 286,hostname,10.16.6.102 2
*LONG* Directly using SQL tables
Greetings,

I have a question about updating the database contents directly. Sorry for the length of the email, just trying to cover all the bases.

Our environment is using Guacamole 1.3 on a dedicated VM (VMware ESXi, 4 CPU, 16Gb RAM), leveraging SQL and LDAP/Active Directory.

We support a training company that will generally bring in 20 students at a time for class, several times over the course of a year.

Right now, we use generic "Student123" accounts associated with prebuilt connections and everything runs great. But we want to move to having students use their named logins (which means we'll also have to remove those entries at the end of class). The process of getting everything set up is pretty manual, so I'm looking for a way to script everything.

All authentication is pointed at our Windows Domain Controller using LDAP.

I have used CSV files and SQL commands in the past to add new connections (entries into the connections and connection_parameter tables). Those always show up in the Web UI just fine. I have not had any luck adding entries into the table with user names (entities) or the table with connections (connection_permissions). The rows are added to the table, but do not appear in the Web UI (this is being done ahead of a class starting, so the users are in AD but they have never logged on any of our systems).

When using this method, user login attempts fail with no apparent log entries (I think I checked them all... /var/etc/tomcat9/ catalina.out, localhost_access_log.-MM-DD.txt, localhost.-MM-DD.log; /var/log/syslog, /var/log/messages, /var/log/nginx/guac_access.log guac_error.log ).
If I only add the connection information (nothing in the entity or permissions tables) then the user can log in successfully, but I have to go back and manually add their connection information. I'd like to keep from doing things manually as possible.

Below are the details of the configuration and the SQL commands I used in my attempts.

Thank you
Jim

/etc/guacamole/guacamole.properties looks like this:

guacd-hostname: localhost
guacd-port: 4822
user-mapping: /etc/guacamole/user-mapping.xml
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider

# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: $UPER$ecret
mysql-auto-create-accounts: true

# LDAP Properties
ldap-hostname: 10.0.0.10
ldap-port: 389
ldap-encryption-method: none
#ldap-user-base-dn: OU=them, DC=our, DC=net
ldap-user-base-dn: DC=our,DC=net
ldap-username-attribute: samAccountName
ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou=Administration, dc=our, dc=net
ldap-search-bind-password: $UPER$ecret
#ldap-user-search-filter: (objectClass=user)(!(objectCategory=computer))
ldap-user-search-filter: (sAMAccountType=805306368)

The process that I attempted to use was as follows:

Create the required CSV files-

NEW_STUDENT_CONNECTION.csv:
284,NS-Linux-01,\N,rdp,\N,\N,\N,\N,\N,\N,0
285,NS-Linux-02,\N,rdp,\N,\N,\N,\N,\N,\N,0
286,NS-Linux-03,\N,rdp,\N,\N,\N,\N,\N,\N,0
287,NS-Linux-04,\N,rdp,\N,\N,\N,\N,\N,\N,0
314,NS-Windows-01,\N,rdp,\N,\N,\N,\N,\N,\N,0
315,NS-Windows-02,\N,rdp,\N,\N,\N,\N,\N,\N,0
316,NS-Windows-03,\N,rdp,\N,\N,\N,\N,\N,\N,0
317,NS-Windows-04,\N,rdp,\N,\N,\N,\N,\N,\N,0

NEW_STUDENT_CONNECTION_PARAMETERS.csv:
284,hostname,10.16.6.100
284,ignore-cert,true
284,port,3389
285,hostname,10.16.6.101
285,ignore-cert,true
285,port,3389
286,hostname,10.16.6.102
286,ignore-cert,true
286,port,3389
287,hostname,10.16.6.103
287,ignore-cert,true
287,port,3389
314,hostname,10.16.6.130
314,ignore-cert,true
314,port,3389
315,hostname,10.16.6.131
315,ignore-cert,true
315,port,3389
316,hostname,10.16.6.132
316,ignore-cert,true
316,port,3389
317,hostname,10.16.6.133
317,ignore-cert,true
317,port,3389

NEW_STUDENT_ENTITY.csv:
141,2299shenry,USER
142,2299sjones,USER
143,2299bsmith,USER
144,2299gstetson,USER

NEW_STUDENT_CONNECTION_PERMISSIONS.csv:
141,284,READ
141,314,READ
142,285,READ
142,315,READ
143,286,READ
143,316,READ
144,287,READ
144,317,READ

Once the files were in place on the server, I ran the following commands:

mysql -u root
use guacamole_db;
LOAD DATA INFILE '/tmp/NEW_STUDENT_CONNECTION.csv' INTO TABLE guacamole_connection FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n';
LOAD DATA INFILE '/tmp/NEW_STUDENT_CONNECTION_PARAMETERS.csv' INTO TABLE guacamole_connection_parameter FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n';
LOAD DATA INFILE '/tmp/NEW_STUDENT_ENTITY.csv' INTO TABLE guacamole_entity FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n';
LOAD DATA INFILE '/tmp/NEW_STUDENT_CONNECTION_PERMISSIONS.csv' INTO TABLE guacamole_connection_permission FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n';
exit;
Re: New Active Directory users not showing in user list
Mike,

Thank you for your detailed explanation. I believe all four conditions you've listed are true, and yet about 20 out of 150 users do not appear in the admin interface.

We aren't having authentication issues. The users who don't appear in the webui can log in just fine. However, because they are not in the webui, I cannot assign connections to them, so when they log in they don't have anywhere to go.

I will step through the conditions just to make sure I don't miss anything.

1) Guacadmin is in Active Directory as a standard user
2) Guacadmin is an admin user in the webui
3) The ldap-user binding in guacamole.properties is a service account assigned as a domain administrator in AD
4) The LDAP base is the entire domain, with a filter matching only normal user accounts (based on sAMAccountType). I can tell this is working because we have user accounts in the webui that come from different AD OU.

One might think that the disconnect between guacadmin as a normal user in LDAP and the SVC.GUACAMOLE account being a Domain Admin could cause issues... but the majority of the LDAP users do appear in and are manipulated/managed by the webui, specifically connection assignments.

Any other information or analysis you might provide would be most appreciated. This system is in 'production', so I have limited ability to do more than view the configurations during the day for the next week or so, until we cycle down.

Thanks
Jim

Sent: Wednesday, August 25, 2021 at 4:06 PM
From: "Mike Jumper"
To: user@guacamole.apache.org
Subject: Re: New Active Directory users not showing in user list

A user does not need to exist within the database to be able to log in, nor will they be automatically added to the database upon login. The entry you see in the database is _not_ the user being created, nor is it the user being partially created. It's the system recording that a login for a user occurred. There is no database permissions issue.

To be clear, a user does not need to exist in the database for the user to be able to log in, nor do they need to exist in the database to be listed in the admin screen:

* If a user can log in, that means that at least one authentication extension recognizes that user's credentials and has validated their identity. If you only have a database extension installed, then yes, this means they exist in the database. If you have both LDAP and a database extension installed, then this means they exist in LDAP or the database, etc.
* If a user is listed in the admin interface, it means that the current user has permission to see that user according to at least one authentication extension. That user may exist in both LDAP and the database, they may exist only in LDAP, or they may exist only in the database.
* There is an option to automatically create database users, but this is not needed except when using an extension that requires storage for all users (the TOTP extension). You do not need to enable this option simply to be able to see users, log in as those users, etc.

If you are expecting to see LDAP users within the admin interface, but aren't, the way to troubleshoot that is not to execute queries against the database (which truly has nothing to do with LDAP), but to check the details of your user within LDAP. To see an LDAP user within the admin interface, the following must be true:

1) You must log in with LDAP credentials, not database credentials. You will not be able to see LDAP objects of any kind unless your credentials are recognized by the LDAP server, as it's your access rights within LDAP that dictate visibility of LDAP objects.
2) You must log in with LDAP credentials that match a user with admin privileges in the database.
3) Your LDAP user must have permission within LDAP to retrieve the details of the user in question.
4) The user in question must match the declared LDAP structure within guacamole.properties. This means they must be beneath the declared user base DN. If you specified an LDAP user search filter within guacamole.properties, the user must match that, too.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc.

On Wed, Aug 25, 2021 at 1:54 PM Jim Rx <jimr...@mail.com> wrote:

Nick,

Thanks for that explanation. You may see from other messages in the thread that the user I was testing with was showing up in the guacamole_user_history table with a user_id of NULL. Without auto-create turned on, I'm confused as to how the accounts that do exist were created. I'm going to have to snapshot this VM and then adjust add the auto-create (after I read the reference you provided).

Along with that -- how do I verify that the guacamole_user has the proper privileges? I used the grant select,insert,update,delete sql command that many pages suggest... but those changes never stick, even after the flush privileges command.

Thanks
Jim

Sent: Wedn
Re: New Active Directory users not showing in user list
Nick,

Thanks for that explanation. You may see from other messages in the thread that the user I was testing with was showing up in the guacamole_user_history table with a user_id of NULL. Without auto-create turned on, I'm confused as to how the accounts that do exist were created. I'm going to have to snapshot this VM and then adjust add the auto-create (after I read the reference you provided).

Along with that -- how do I verify that the guacamole_user has the proper privileges? I used the grant select,insert,update,delete sql command that many pages suggest... but those changes never stick, even after the flush privileges command.

Thanks
Jim

Sent: Wednesday, August 25, 2021 at 3:35 PM
From: "Nick Couchman"
To: user@guacamole.apache.org
Subject: Re: New Active Directory users not showing in user list

On Wed, Aug 25, 2021 at 4:22 PM Craig Sawyer wrote:

> Huh, If they are logged into Guacamole, then they by definition have a guac account, so I'm confused as to why they aren't showing up in the list. Perhaps someone else here will have some ideas.

There may be some confusion here as to what it means to "have a guac account." If you've enabled both the MySQL JDBC extension and the LDAP extensions, then users only need to exist in one of these two extensions in order to successfully authenticate. They do not have to be in both, and LDAP users do not have to have an entry in MySQL in order to successfully log in, nor does a successful login mean that the users will be automatically created - unless you enable this feature. See this manual page for more information: http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-auto-create

Looking at the guacamole.properties output that was posted in the original question, I do not see the "mysql-auto-create-accounts" property anywhere, so Guacamole is not creating an entry for these users in the database.

Also, it's important to understand that the default "guacadmin" account in the JDBC extensions will have *no visibility* into the LDAP tree to see possible users, unless you happen to have an LDAP user called "guacadmin" with the same password that is in the JDBC account. The LDAP extension leverages LDAP security for both the login and the retrieval of user and group information from LDAP. This tends to trip people up a bit, but it is a very deliberate design of the LDAP extension - it does not use the Search Bind DN for all or even most LDAP operations - it only uses the Search Bind DN to find the user who is trying to log in - once it locates that user, it unbinds and then re-binds as that user account and continues to retrieve other user accounts, LDAP groups, and/or connection information stored in LDAP. This means that, in order to see users, groups, and connections from LDAP, the user logging in to Guacamole needs to be an LDAP user, and needs to successfully bind to LDAP.

-Nick
Re: New Active Directory users not showing in user list
Craig,

I just looked at the guacamole_entity table and the user I'm logged in with is not present in the table. However -- I also looked at the guacamole_user_history table, and the user IS listed with a NULL in the user_id field. So it appears that the user is not being inserted into SQL.

So now I'm trying to figure how to get privileges to the guacamole_user in sql. I did the grant select,insert,update,delete on guacamole_db.* to 'guacamole_user'@'localhost' .. but no luck. guacamole_user doesn't exist in any of the tables in guacamole_db. That user does exist in the sql database, and shows no privileges.

Jim

Sent: Wednesday, August 25, 2021 at 3:21 PM
From: "Craig Sawyer"
To: user@guacamole.apache.org
Subject: Re: New Active Directory users not showing in user list

Huh, If they are logged into Guacamole, then they by definition have a guac account, so I'm confused as to why they aren't showing up in the list. Perhaps someone else here will have some ideas.

The only thing that comes to mind at the moment is maybe MySQL is being mean and not showing the new inserted record for some reason? That would be odd, but it is MySQL, it's not known for sane behaviour by default.

Can you see the account record in the MySQL DB?
Re: New Active Directory users not showing in user list
Yes - I'm doing this right now while a user who doesn't appear is logged in, and they are not present in the list.

Sent: Wednesday, August 25, 2021 at 3:05 PM
From: "Craig Sawyer"
To: user@guacamole.apache.org
Subject: Re: New Active Directory users not showing in user list

Did you refresh the web UI? (shift+click the reload button) it's not 100% live.

-Craig
Re: New Active Directory users not showing in user list
Craig,

Thanks for the clarification. After testing, they are able to log in... but... their name does not appear in users in the webui, so no connections can be assigned to their account.

Thanks,
Jim

Sent: Wednesday, August 25, 2021 at 2:59 PM
From: "Craig Sawyer"
To: user@guacamole.apache.org
Subject: Re: New Active Directory users not showing in user list

They won't show up until after they login. LDAP requests from Guac are only triggered when an auth request happens. The corresponding guac account will then be created on the fly as it were. There is no "sync" between AD <-> Guac, except at login time.

If they are unable to login, but everyone else can, then it's probably one of two things:

1) ldap-search-bind-dn: cn=SVC.GUACAMOLE doesn't have permissions to see the new users
2) ldap-user-search-filter: (sAMAccountType=805306368) the users are not matching against this filter.

-Craig
New Active Directory users not showing in user list
Hello,

I saw a thread on LDAP issues just a couple of days ago, but it didn't seem to match my situation.

I built Guacamole 1.3.0 from source on a debian 10, using mysql for connection properties and active directory (Server 2019) for authentication. We noticed that some AD users were not listed in users (observed from guacadmin account). We added a new user to AD and restarted the system to see if something would shake loose. No joy.

/etc/guacamole.properties looks like this:
###
guacd-hostname: localhost
guacd-port: 4822
user-mapping: /etc/guacamole/user-mapping.xml
auth-provider: net.sourcforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider

mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: supersecretpassword

ldap-hostname: 10.x.x.10
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: DC=mynet, DC=local
ldap-username-attribute: sAMAccountName
ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou-Administration, dc=mynet, dc=local
ldap-search-bind-password: supersecretpassword
ldap-user-search-filter: (sAMAccountType=805306368)
###

Right now, logback.xml is set to "info", and searching through the different log files doesn't seem to show any LDAP errors. I've checked:
/var/log/syslog
/var/log/nginx/guac_access.log
/var/log/nginx/guac_error.log
/var/log/tomcat9/catalina.out

I cannot find any log entries in Windows system event viewer that indicate an issue on that side. And... *most* of the users are there, and can log in, and can use the connections allocated to them (I imported the connection list manually into SQL and then connected the dots in the web UI).

Any suggestions would be greatly appreciated.

Thanks
Jim
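The checks discussed in this thread, written as a small linter for the guacamole.properties quoted in the original message. This is an added example, not part of any message in the thread and not code from the Guacamole project. The function names, finding codes and the user DNs used to exercise it are assumptions made for illustration, and the DN comparison is a simplified case-insensitive match.

```python
import re

# Constructed sample: the LDAP/MySQL properties quoted in the thread, with
# passwords replaced by a placeholder.
SAMPLE = """\
mysql-hostname: localhost
mysql-database: guacamole_db
mysql-username: guacamole_user
ldap-hostname: 10.x.x.10
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: DC=mynet, DC=local
ldap-username-attribute: sAMAccountName
ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou-Administration, dc=mynet, dc=local
ldap-search-bind-password: PLACEHOLDER
ldap-user-search-filter: (sAMAccountType=805306368)
"""

RDN = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*\s*=\s*\S.*$")

def parse_properties(text):
    """Return {key: value} for 'key: value' or 'key=value' lines."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#:=\s][^:=\s]*)\s*[:=]\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def split_dn(dn):
    """Split a DN on unescaped commas and normalise each RDN for comparison."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]
    return [re.sub(r"\s*=\s*", "=", p).lower() for p in parts]

def is_beneath(entry_dn, base_dn):
    """True if entry_dn sits under base_dn (simplified, case-insensitive)."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(entry) > len(base) and entry[-len(base):] == base

def lint(props):
    """Return (code, detail) findings for the settings discussed in the thread."""
    findings = []
    for key in ("ldap-user-base-dn", "ldap-search-bind-dn"):
        for rdn in split_dn(props.get(key, "")):
            if not RDN.match(rdn):
                findings.append(("malformed-dn", f"{key}: '{rdn}' is not attr=value"))
    if props.get("ldap-encryption-method", "none").lower() == "none":
        findings.append(("cleartext-ldap", "binds and passwords cross the network unencrypted"))
    uses_mysql = any(k.startswith("mysql-") for k in props)
    if uses_mysql and props.get("mysql-auto-create-accounts", "false").lower() != "true":
        findings.append(("no-auto-create", "LDAP-only users get no database row at login"))
    return findings

if __name__ == "__main__":
    for code, detail in lint(parse_properties(SAMPLE)):
        print(f"{code}: {detail}")
```

The `no-auto-create` finding is informational: as the replies explain, a database row is only required by extensions such as TOTP that need storage for every user.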